The malicious npm packages @async-mutex/mutex, dexscreener, solana-transaction-toolkit, and solana-stable-web-huks have been discovered stealing Solana private keys and draining cryptocurrency wallets. These packages exploit the trust in Gmail’s SMTP servers to exfiltrate sensitive data and evade detection by security systems. The attackers employed two main techniques.
First, they used packages like @async-mutex/mutex and dexscreener to intercept and transmit private Solana keys via Gmail. Second, the packages solana-transaction-toolkit and solana-stable-web-huks programmatically drained victims’ wallets, transferring up to 98% of the contents to an attacker-controlled Solana address. Kirill Boychenko, a security researcher, noted, “Because Gmail is a trusted email service, these exfiltration attempts are less likely to be flagged by firewalls or endpoint detection systems, which treat smtp.gmail.com as legitimate traffic.”
The malicious packages have been downloaded over 130 times, potentially compromising numerous developer accounts and environments.
Phishing attack impacts Solana security
The attackers also leveraged GitHub repositories to create a façade of legitimacy for unsuspecting developers. In 2024, the number of malicious packages found on open-source package managers surged by 1300% compared to 2020.
Researchers warned that AI-powered descriptions could inadvertently lend credibility to malicious packages, potentially guiding even cautious users toward installing harmful dependencies. Developers are urged to exercise caution when installing npm packages, especially those with low download counts or recent publication dates. It is recommended to use GitHub apps and CLI tools to scan dependencies for potential threats.
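As an added, defender-side example that is not part of the original report: a small static triage script in Python that flags an unpacked npm package when the two indicators described above (SMTP egress to smtp.gmail.com and access to Solana key material) appear together, and lists the lifecycle hooks that would run on install. The regexes, key-file path and both sample packages are constructed assumptions for illustration, not the real packages' contents.

```python
import json
import re

# Hypothetical heuristics for the technique described above: SMTP egress to Gmail
# combined with access to Solana key material in the same package.
EGRESS_PATTERNS = {
    "gmail_smtp_host": re.compile(r"smtp\.gmail\.com"),
    "nodemailer_import": re.compile(r"require\(['\"]nodemailer['\"]\)|from\s+['\"]nodemailer['\"]"),
}
SECRET_PATTERNS = {
    "solana_keypair_api": re.compile(r"Keypair\.fromSecretKey|\.secretKey\b"),
    "solana_cli_keyfile": re.compile(r"\.config/solana/id\.json"),  # default solana-cli key path
    "env_private_key": re.compile(r"process\.env\.\w*(PRIVATE|SECRET)_?KEY"),
}
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

def install_hooks(package_json: str) -> list[str]:
    """Return lifecycle scripts that run automatically during 'npm install'."""
    try:
        scripts = json.loads(package_json).get("scripts", {})
    except (ValueError, AttributeError):  # malformed or non-object package.json
        return []
    return [h for h in INSTALL_HOOKS if h in scripts]

def scan_package(files: dict[str, str]) -> dict:
    """files maps each path inside the unpacked tarball to its text content."""
    patterns = {**EGRESS_PATTERNS, **SECRET_PATTERNS}
    hits = {p: [n for n, rx in patterns.items() if rx.search(c)] for p, c in files.items()}
    hits = {p: names for p, names in hits.items() if names}
    flat = {n for names in hits.values() for n in names}
    return {
        "hits": hits,
        "install_hooks": install_hooks(files.get("package.json", "")),
        # Gmail SMTP alone is common in legitimate code; the combination is the signal.
        "suspicious": bool(flat & set(EGRESS_PATTERNS)) and bool(flat & set(SECRET_PATTERNS)),
    }

# Constructed sample resembling the reported behaviour (not the real package contents).
MALICIOUS_SAMPLE = {
    "package.json": '{"name": "x", "scripts": {"postinstall": "node setup.js"}}',
    "setup.js": 'const nodemailer = require("nodemailer");\n'
                'const key = require("fs").readFileSync(process.env.HOME + "/.config/solana/id.json");\n'
                'nodemailer.createTransport({host: "smtp.gmail.com", port: 465});\n',
}
# Constructed benign sample: Gmail SMTP for notifications, no key material touched.
BENIGN_SAMPLE = {
    "package.json": '{"name": "y", "scripts": {"test": "jest"}}',
    "notify.js": 'const nodemailer = require("nodemailer");\nnodemailer.createTransport({host: "smtp.gmail.com"});\n',
}
```

Run scan_package over the files of an unpacked tarball (npm pack, then extract) before adding a dependency; a hit on both indicator classes plus an install hook is worth a manual read of the flagged file.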
Cryptocurrency platforms and individual wallet holders should remain vigilant and ensure their accounts are secure. Regular audits of dependencies and strict access controls around private keys are crucial in mitigating such risks.